Malwarebytes Bug Bounty Program Goes Live

The New Acunetix V12 Engine


So Malwarebytes bug bounty program is live, the official name is actually Malwarebytes Coordinated Vulnerability Disclosure Program – what a mouthful (guidelines here).

Malwarebytes Bug Bounty Program Goes Live

It’s good to see, bug bounty programs typically tend to have a nett positive effect and end in win-win situations for researchers and software vendors alike.

In an effort to encourage researchers to responsibly disclose security flaws found in its products, anti-malware company Malwarebytes announced on Monday the launch of a bug bounty program.

The company is prepared to offer between $100 and $1,000 for eligible vulnerabilities, depending on how severe and exploitable they are. Bounty hunters are also offered an entry in the Malwarebytes Hall of Fame and “cool Malwarebytes swag.”

Malwarebytes’ Coordinated Vulnerability Disclosure program covers vulnerabilities found in the company’s products and web services, particularly weaknesses that can lead to remote code execution or sensitive information disclosure. Experts are also encouraged to report crashes and stability issues, but these are generally considered not eligible for a bounty.

In the case of vulnerabilities discovered by Malwarebytes in third-party products, the company’s standard public disclosure deadline is 150 days.


No surprise here, Tavis Ormandy is up to his tricks again and quite possible is the driving force behind the release of this bounty program. As he recently found several pretty serious buggs in Malwarebytes software.

The disclosure period is nice and long too, they give themselves 5 months to fix any bugs found – that seems more than ample.

The launch of Malwarebytes’ bug bounty program comes after Google researcher Tavis Ormandy reported finding several vulnerabilities in the consumer version of Malwarebytes Anti-Malware in early November.

Marcin Kleczynski, the CEO of Malwarebytes, said his company patched several of the vulnerabilities server-side within days and is currently working on releasing a new version that will patch the client-side issues.

“The research seems to indicate that an attacker could use some of the processes described to insert their own code onto a targeted machine. Based on the findings, we believe that this could only be done by targeting one machine at a time,” Kleczynski said. “However, this is of sufficient enough a concern that we are seeking to implement a fix.”

Malwarebytes Anti-Malware Premium users can protect themselves against possible attacks leveraging the flaws reported by Ormandy by enabling the product’s self-protection feature.

It’s pretty good software, I’ve used it quite a few times to disinfect people’s machines. So if you do use it regularly, have a poke around and see if you can find any flaws – might be worthwhile now.

Good old Tavis Ormandy – he’s been poking holes in people’s software for years.

Source: Security Week

Posted in: Exploits/Vulnerabilities

, , , ,


Latest Posts:


Acunetix v12 - Pause & Resume Acunetix v12 – More Comprehensive More Accurate & 2x Faster
Acunetix, the pioneer in automated web application security software, has announced the release of Acunetix v12 - more comprehensive, accurate & 2x faster.
CloudFrunt - Identify Misconfigured CloudFront Domains CloudFrunt – Identify Misconfigured CloudFront Domains
CloudFrunt is a Python-based tool for identifying misconfigured CloudFront domains, it uses DNS and looks for CNAMEs which may be allowed to be associated with CloudFront distributions.
Airbash - Fully Automated WPA PSK Handshake Capture Script Airbash – Fully Automated WPA PSK Handshake Capture Script
Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing, it is compatible with Bash and Android Shell.
XXEinjector - Automatic XXE Injection Tool For Exploitation XXEinjector – Automatic XXE Injection Tool For Exploitation
XXEinjector is an XXE Injection Tool that automates retrieving files using direct and out of band methods. Directory listing only works in Java applications.
Yahoo! Fined 35 Million USD For Late Disclosure Of Hack Yahoo! Fined 35 Million USD For Late Disclosure Of Hack
Ah Yahoo! in trouble again, this time the news is Yahoo! fined for 35 million USD by the SEC for the 2 year delayed disclosure of the massive hack, we actually reported on the incident in 2016 when it became public.
Drupwn - Drupal Enumeration Tool & Security Scanner Drupwn – Drupal Enumeration Tool & Security Scanner
Drupwn is a Python-based Drupal Enumeration Tool that also includes an exploit mode, which can check for and exploit relevant CVEs.


Comments are closed.